From: Tyler Close <tyler@waterken.com>
Replying To: Jonathan A Rees <jar8@mumble.net>
Date: Wed, 11 Dec 2002 08:57:28 -0400
Subject: Re: [e-lang] Lampson, ACLs, and capabilities

On Monday 09 December 2002 23:37, Jonathan A Rees wrote:
> My feeling is that it's possible that he's right - you may need *both*
> capabilities (for everyday programming, confinement, etc.) *and* some
> sort of objective view of possible and prevented operations.  But that
> view needn't be ACL's; it could be, e.g., some kind of proof system
> for verifying security policies.  And as we know such a system should
> be built *using* capabilities.

Don't we also already have a standard design pattern for this
problem? Give each user a unique revokeable forwarder.  Keep a data
structure that indexes the granted forwarders.

> The fact that ACL's give the appearance of security is good voodoo.
> The appearance of security is as important as security itself.  As
> things stand now, the capability-based answer to the question "is it
> protected" may be longer than the attention span of the typical ACL
> user.

Explaining the capability design should be easy. I did it in two
short sentences. 

Tyler 
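The two-sentence design above (a unique revocable forwarder per user, plus an index of the forwarders that were granted) worked through in JavaScript as an added example; it is not code from the thread or from E, and every name in it (`makeRevocableForwarder`, `GrantIndex`, the sample `file` object, the user names) is an assumption chosen for illustration. The forwarder holder never sees the underlying object, so revocation is final, and the index is the "objective view" that answers "who can reach this?" without an ACL on the object itself.

```javascript
'use strict';

// Added example, not from the e-lang thread: a revocable forwarder (often
// called a caretaker) wrapped around a capability, plus an index of grants.

// Build a forwarder for `target`. Every property access and method call is
// delegated until `revoke()` is called; afterwards every access throws.
// The holder only ever receives the Proxy, never `target` itself.
function makeRevocableForwarder(target) {
  let current = target;
  const forwarder = new Proxy({}, {
    get(_unused, prop) {
      if (current === null) throw new Error('capability revoked');
      const value = current[prop];
      // Bind methods so `this` inside them refers to the real object.
      return typeof value === 'function' ? value.bind(current) : value;
    },
  });
  return { forwarder, revoke: () => { current = null; } };
}

// The index: resourceName -> Map(user -> revoke function). It records exactly
// which forwarders were handed out, so it can both list holders and revoke.
class GrantIndex {
  constructor() { this.grants = new Map(); }

  // Hand `user` a fresh forwarder to `resource` and remember how to revoke it.
  grant(user, resourceName, resource) {
    const { forwarder, revoke } = makeRevocableForwarder(resource);
    if (!this.grants.has(resourceName)) this.grants.set(resourceName, new Map());
    const byUser = this.grants.get(resourceName);
    if (byUser.has(user)) byUser.get(user)();   // replace an earlier grant
    byUser.set(user, revoke);
    return forwarder;
  }

  // "Is it protected?" answered from the index: sorted list of current holders.
  holders(resourceName) {
    return [...(this.grants.get(resourceName) || new Map()).keys()].sort();
  }

  // Revoke one user's forwarder for one resource. Returns whether a grant existed.
  revoke(user, resourceName) {
    const byUser = this.grants.get(resourceName);
    if (!byUser || !byUser.has(user)) return false;
    byUser.get(user)();
    byUser.delete(user);
    return true;
  }

  // Revoke everything a user was ever granted (e.g. when the account is closed).
  revokeAll(user) {
    let count = 0;
    for (const resourceName of this.grants.keys()) {
      if (this.revoke(user, resourceName)) count += 1;
    }
    return count;
  }
}

// Constructed scenario: one object, two users, one revocation.
function demo() {
  const file = { contents: 'secret', read() { return this.contents; } };  // constructed sample
  const index = new GrantIndex();
  const aliceCap = index.grant('alice', 'file', file);
  const bobCap = index.grant('bob', 'file', file);

  const before = aliceCap.read();           // 'secret'
  index.revoke('alice', 'file');
  let aliceAfter;
  try { aliceAfter = aliceCap.read(); } catch (e) { aliceAfter = e.message; }

  return {
    before,                                  // 'secret'
    aliceAfter,                              // 'capability revoked'
    bobStill: bobCap.read(),                 // 'secret': Bob's forwarder is untouched
    holders: index.holders('file'),          // ['bob']
    revokedForBob: index.revokeAll('bob'),   // 1
  };
}

module.exports = { makeRevocableForwarder, GrantIndex, demo };
```

Run it with `node` and call `demo()`; the point to notice is that Alice's revocation does nothing to Bob, because each user holds a distinct forwarder, and the index alone is enough to enumerate holders or to revoke a user wholesale. The `revokeAll` method goes slightly beyond the two sentences in the message: it uses the same index to drop every grant a user holds.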
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang